Wednesday, May 25, 2011

Cross-Site Request Forgery Vulnerability

Greetings, Mundo Libre.

Here is a possible vulnerability at shcp.

http://www.shcp.gob.mx/Paginas/defaul.aspx



[Wed 25 May 2011 10:16:30 AM CDT] Auto-enabling plugin: grep.collectCookies

[Wed 25 May 2011 10:16:30 AM CDT] Auto-enabling plugin: grep.httpAuthDetect

[Wed 25 May 2011 10:16:30 AM CDT] Auto-enabling plugin: grep.error500

[Wed 25 May 2011 10:16:30 AM CDT] Auto-enabling plugin: discovery.serverHeader

[Wed 25 May 2011 10:16:30 AM CDT] Auto-enabling plugin: discovery.allowedMethods

[Wed 25 May 2011 10:16:31 AM CDT] Auto-enabling plugin: discovery.frontpage_version

[Wed 25 May 2011 10:16:31 AM CDT] Auto-enabling plugin: grep.passwordProfiling

[Wed 25 May 2011 10:16:31 AM CDT] Auto-enabling plugin: grep.getMails

[Wed 25 May 2011 10:16:31 AM CDT] Auto-enabling plugin: grep.lang

[Wed 25 May 2011 10:16:33 AM CDT] The page language is: es

[Wed 25 May 2011 10:16:33 AM CDT] The server header for the remote web server is: "Microsoft-IIS/6.0". This information was found in the request with id 15.

[Wed 25 May 2011 10:16:33 AM CDT] "x-powered-by" header for this HTTP server is: "ASP.NET". This information was found in the request with id 16.

[Wed 25 May 2011 10:16:33 AM CDT] "x-aspnet-version" header for this HTTP server is: "2.0.50727". This information was found in the request with id 16.

[Wed 25 May 2011 10:16:34 AM CDT] The resource: "http://www.shcp.gob.mx/Paginas/" requires authentication. The realm is: "NTLM". This information was found in the request with id 17.

[Wed 25 May 2011 10:16:46 AM CDT] The FrontPage Configuration Information file was found at: "http://www.shcp.gob.mx/_vti_inf.html" and the version of FrontPage Server Extensions is: "12.0.0.000". This information was found in the request with id 66.

[Wed 25 May 2011 10:16:46 AM CDT] The FPAdminScriptUrl is at: "_vti_bin/_vti_adm/admin.dll" instead of the default location: "_vti_bin/_vti_adm/admin.exe". This information was found in the request with id 66.

[Wed 25 May 2011 10:16:46 AM CDT] The FPAuthorScriptUrl is at: "_vti_bin/_vti_aut/author.dll" instead of the default location: "/_vti_bin/_vti_adm/author.exe". This information was found in the request with id 66.

[Wed 25 May 2011 10:16:46 AM CDT] New URL found by frontpage_version plugin: http://www.shcp.gob.mx/_vti_inf.html

[Wed 25 May 2011 10:16:46 AM CDT] Starting formAuthBrute plugin execution.

[Wed 25 May 2011 10:16:46 AM CDT] Starting basicAuthBrute plugin execution.

[Wed 25 May 2011 10:16:46 AM CDT] Starting basic authentication bruteforce on URL: "http://www.shcp.gob.mx/Paginas/".

[Wed 25 May 2011 10:16:57 AM CDT] No more user/password combinations available.

[Wed 25 May 2011 10:29:16 AM CDT] Found 3 URLs and 3 different points of injection.

[Wed 25 May 2011 10:29:16 AM CDT] The list of URLs is:

[Wed 25 May 2011 10:29:16 AM CDT] - http://www.shcp.gob.mx/Paginas/defaul.aspx

[Wed 25 May 2011 10:29:16 AM CDT] - http://www.shcp.gob.mx/_layouts/error.aspx

[Wed 25 May 2011 10:29:16 AM CDT] - http://www.shcp.gob.mx/_vti_inf.html

[Wed 25 May 2011 10:29:16 AM CDT] The list of fuzzable requests is:

[Wed 25 May 2011 10:29:16 AM CDT] - http://www.shcp.gob.mx/Paginas/defaul.aspx | Method: GET

[Wed 25 May 2011 10:29:16 AM CDT] - http://www.shcp.gob.mx/_layouts/error.aspx | Method: POST | Parameters: (__spDummyText2="", __VIEWSTATE="/wEPDwUKLT...", __spDummyText1="")

[Wed 25 May 2011 10:29:16 AM CDT] - http://www.shcp.gob.mx/_vti_inf.html | Method: GET

[Wed 25 May 2011 10:29:17 AM CDT] The resource: "http://www.shcp.gob.mx/_layouts/error.aspx" requires authentication. The realm is: "NTLM". This information was found in the request with id 11797.

[Wed 25 May 2011 10:29:17 AM CDT] The web application sent a persistent cookie.

[Wed 25 May 2011 10:29:17 AM CDT] The following scripts allow an attacker to send POST data as query string data (this makes XSRF easier to exploit):

[Wed 25 May 2011 10:29:17 AM CDT] - The URL: http://www.shcp.gob.mx/_layouts/error.aspx is vulnerable to cross site request forgery. It allows the attacker to exchange the method from POST to GET when sending data to the server.

[Wed 25 May 2011 10:29:24 AM CDT] The URL: http://www.shcp.gob.mx/_layouts/error.aspx is vulnerable to cross site request forgery. It allows the attacker to exchange the method from POST to GET when sending data to the server.

[Wed 25 May 2011 10:29:24 AM CDT] The FrontPage Configuration Information file was found at: "http://www.shcp.gob.mx/_vti_inf.html" and the version of FrontPage Server Extensions is: "12.0.0.000". This information was found in the request with id 66.

[Wed 25 May 2011 10:29:24 AM CDT] "x-powered-by" header for this HTTP server is: "ASP.NET". This information was found in the request with id 16.

[Wed 25 May 2011 10:29:24 AM CDT] The resource: "http://www.shcp.gob.mx/Paginas/" requires authentication. The realm is: "NTLM". This information was found in the request with id 17.

[Wed 25 May 2011 10:29:24 AM CDT] The resource: "http://www.shcp.gob.mx/_layouts/error.aspx" requires authentication. The realm is: "NTLM". This information was found in the request with id 11797.

[Wed 25 May 2011 10:29:24 AM CDT] The URL: "http://www.shcp.gob.mx/Paginas/defaul.aspx" sent the cookie: "ASP.NET_SessionId=xisilge3lt2l0a45byyqt3ur; path=/; HttpOnly". This information was found in the request with id 1.

[Wed 25 May 2011 10:29:48 AM CDT] The resource: "http://www.shcp.gob.mx/Paginas/GKVFE" requires authentication. The realm is: "NTLM". This information was found in the request with id 11947.

[Wed 25 May 2011 10:29:51 AM CDT] The resource: "http://www.shcp.gob.mx/qmvDP" requires authentication. The realm is: "NTLM". This information was found in the request with id 11955.

[Wed 25 May 2011 10:29:52 AM CDT] The resource: "http://www.shcp.gob.mx/" requires authentication. The realm is: "NTLM". This information was found in the request with id 11957.

[Wed 25 May 2011 10:30:25 AM CDT] Password profiling TOP 100:

[Wed 25 May 2011 10:30:25 AM CDT] - [1] gearPage with 4 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] - [2] este with 4 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] - [3] esta with 4 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] - [4] Windows with 4 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] - [5] SharePoint with 4 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] - [6] Volver with 4 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] - [7] problemas with 4 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] - [8] sitio with 4 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] - [9] agregado with 4 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] - [10] elemento with 4 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] - [11] existe with 3 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] - [12] entorno with 3 repetitions.

[Wed 25 May 2011 10:30:25 AM CDT] The URL: "http://www.shcp.gob.mx/Paginas/defaul.aspx" sent these cookies:

[Wed 25 May 2011 10:30:25 AM CDT] - ASP.NET_SessionId=xisilge3lt2l0a45byyqt3ur; Path=/

[Wed 25 May 2011 10:30:25 AM CDT] - ASP.NET_SessionId=xisilge3lt2l0a45byyqt3ur; path=/; HttpOnly

[Wed 25 May 2011 10:30:25 AM CDT] Finished scanning process.





The URL: http://www.shcp.gob.mx/_layouts/error.aspx is vulnerable to cross site request forgery. It allows the attacker to exchange the method from POST to GET when sending data to the server.




There it is, I leave it with you.

Greetings, Mundo Libre.
